148.113.128.110📋 Copy

# IPDEBRIEF INTELLIGENCE BRIEFING

Target: 148.113.128.110/32

Classification: Moderate Risk (Score: 40)

Date: Current intelligence cycle

---

## EXECUTIVE SUMMARY

IP 148.113.128.110 is associated with Ahrefs Pte Ltd (AS16276) and operates within OVH hosting infrastructure. The IP resolves to ahrefs.net subdomain proxy (proxy-ca014-san110.ahrefs.net) with no active services detected. While the owning organization is legitimate, the IP exhibits network-level abuse indicators and geolocation inconsistencies requiring SOC monitoring.

---

## OWNERSHIP & INFRASTRUCTURE

• ASN: 16276 (OVH SAS)
• Organization: Dmytro, Ahrefs Pte Ltd
• Netname: OVH-CUST-281059693
• CIDR Block: 148.113.128.0/24
• RIR: ARIN
• Network Role: Hosting provider infrastructure (firewalled/no services detected)
• Infrastructure Type: Cloud/hosting environment

---

## GEOLOCATION VALIDATION

Status: INCONSISTENT

• Reported Location: Singapore (claimed)
• Validation Source: Canada (CA)
• Distance Discrepancy: 6,082 km
• RTT Violation: Observed RTT 26.0ms < minimum possible 121.6ms for claimed distance
• Probe Count: 5
• Plausibility: Geo-plausible = FALSE

*Note: Geolocation data conflicts indicate either misconfiguration, VPN/proxy usage, or data integrity issues.*

---

## THREAT INDICATORS

• Risk Score: 40 (Moderate)
• Blacklist Count: 0
• DNSBL Listed: 1 of 8 total lists
• Tor Exit Node: No
• Known Attacker: No
• Spam Source: No
• Known Campaigns: None detected
• Abuse Confidence Score: Not available
• Max Severity: High (from DNSBL listing)

---

## DNS & NETWORK SERVICES

• PTR Hostname: proxy-ca014-san110.ahrefs.net
• Forward Resolution: Confirmed to proxy-ca014-san110.ahrefs.net
• Domain: ahrefs.net
• Open Ports: None detected
• TLS Certificates: None detected
• HTTP Services: None detected
• DNSSEC Valid: Yes
• CAA Records: Present

*Note: IP is firewalled with no accessible services despite hosting designation.*

---

## NETWORK NEIGHBORHOOD ANALYSIS (148.113.128.0/24)

• Abuse Density: 0.6875 (High abuse subnet)
• Classification: high_abuse
• Total Siblings: 256
• Active Siblings: 208
• Threat Siblings: 176
• Subnet Risk Distribution: Medium (100%), No high/low risk peers
• Inherited Risk Score: 27

*The /24 subnet shows elevated abuse activity with 176 threat-sibling IPs indicating potential compromise or abuse within the same network block.*

---

## OBSERVATION HISTORY

Total Observations: 22 signals recorded

Recent Key Signals:

1. 2026-06-28: Domain resolution to ahrefs.net with valid CAA records (confidence 0.80)

2. 2026-06-20: Subnet classified as high_abuse (0.6875 density, 27 inherited risk)

3. 2026-06-20: Geolocation violation detected (RTT mismatch)

4. 2026-06-20: DNSBL listing with high severity across 8 total lists

Temporal Analysis:

• Ownership changes: 0
• Threat persistence days: 0
• Is persistently malicious: No
• Threat observation count: 1

---

## RELATIONSHIP GRAPH

Total Relationships: 38

• Primary Relationship: Same Network (OVH-CUST-281059693)
• Relationship Types: Network associations (38 instances)
• Associated Hostnames: proxy-ca014-san110.ahrefs.net

---

## CONTROL PLANE ANALYSIS

• Origin ASN: 16276
• BGP Prefix: 148.113.128.0/17
• Route Stability: Unstable (isRouteStable: false)
• Route Changes (30d): 0
• RPKI State: Not validated
• IRR Consistency: Not validated
• Delegation Age: Not available
• MOAS: No

---

## RECOMMENDED ACTIONS

IMMEDIATE:

1. Monitor subnet 148.113.128.0/24 for lateral movement (176 threat siblings detected)

2. Verify geolocation claims against known Ahrefs infrastructure

3. Block at DNSBL if in scope (1 listing with high severity)

FIREWALL RULES:

```bash

# Allow established traffic, deny new unsolicited connections

iptables -A INPUT -i eth0 -p tcp --dport 443 -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW -j DROP

iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW -j DROP

iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -j DROP

```

THREAT INTELLIGENCE MONITORING:

• Track DNSBL listing changes
• Monitor for new threat sibling activity in /24
• Verify Ahrefs corporate communication channels if contacted

---

##

THREAT INTELLIGENCE MONITORING:

• Track DNSBL listing changes
• Monitor for new threat sibling activity in /24
• Verify Ahrefs corporate communication channels if contacted

INDICATOR OF COMPROMISE (IOC) HANDOFF

Status: Not applicable (no direct attacker indicators)

TTPs: None identified

MITRE ATT&CK: No correlations detected

SOC ANALYST NOTES

This IP requires monitoring due to neighborhood-level abuse patterns rather than confirmed malicious activity. The legitimate domain ownership (ahrefs.net) combined with high-density abuse in the /24 suggests compromised or misconfigured peers rather than primary malicious infrastructure.

Priority: LOW-MEDIUM

False Positive Risk: MODERATE

Context: Legitimate hosting provider infrastructure with neighborhood contamination

---

## END OF BRIEFING

Generated by: IPDebrief Intelligence Platform

Classification: INTERNAL USE ONLY

Distribution: Security Operations Center (SOC) Team

---

## APPENDIX: DATA SOURCES

• Geolocation: Multiple sources (conflicting data)
• Threat Feeds: DNSBL checks (1/8 lists)
• Historical Data: 22 observations across multiple timeframes
• Network Analysis: BGP, DNS, and neighbor mapping complete

END DOCUMENT

This summary was generated by AI and may contain inaccuracies. Verify critical details independently.